- Jamf Nation Community
- Products
- Jamf Pro
- Delete expired certificates from Keychain
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-14-2017 07:07 AM
Hi,
We have a Configuration Profile pushing out our WiFi settings with certs currently, but recently the first batch started expiring. They get renewed, no problem, but the expired cert is left in the keychain.
I'm trying to script the removal of them using the following script, so they can't be selected for the wireless profile.
#!/bin/bash
# Grabs the expired certificate hashes
expired=$(security find-identity | grep EXPIRED | awk '{print $2}')
# Check for certs
if [ -z "$expired" ]
then
echo "No expired certificates, we're all good"
else
# Deletes the expired certs via their hash
echo "Deleting expired certs"
security delete-certificate -Z $expired
fi
exit 0 #successIf I run these commands locally on the machine, then it works no problem, but via a policy it always fails with:
'Unable to delete certificate matching "XXXXXXXX..."
Any thoughts? Is there a better way to manage certificates for WiFi profiles?
Thanks
Chris
Solved! Go to Solution.
Labels:
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-14-2017 07:22 AM
There is probably a more efficient way to do this honestly, but I generally do not need to deal with removing expired certs, plus we don't deploy them in the way you describe. So I don't think I can offer much advice there.
But to answer your question, the security command operates on the keychain of the account running the command by default, unless you specify a different keychain, OR, you run the entire command as the current user. Scripts running from Jamf Pro policies run as root, so the error is likely because it could not find and/or delete the keychain from the root account keychain, since that's not where it lives I'm assuming.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-14-2017 07:22 AM
There is probably a more efficient way to do this honestly, but I generally do not need to deal with removing expired certs, plus we don't deploy them in the way you describe. So I don't think I can offer much advice there.
But to answer your question, the security command operates on the keychain of the account running the command by default, unless you specify a different keychain, OR, you run the entire command as the current user. Scripts running from Jamf Pro policies run as root, so the error is likely because it could not find and/or delete the keychain from the root account keychain, since that's not where it lives I'm assuming.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-18-2017 01:01 PM
I would agree with mm2270. It's most likely that you're hitting the wrong keychain. Are the certificates installed into the the user's keychain or the system keychain?
If you know who the users are on a machine or the current user (both easily obtained in a script) then you could do a:
su {currentUser} -c "{your command here}"
This will run the command as that user so if it is in their keychain you should be able to get it. Hopefully that helps in some way.
Rob
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-22-2017 01:55 AM
Cheers guys, looks like that was the issue. Adding /Library/Keychains/System.keychain to the end of the final command seems to have fixed the issue. Thanks for the help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-31-2018 05:33 AM
This script works nicely but needs to be fixed a bit. It works great if it’s just one certificate but if it’s multiple you have to run it multiple times.
It probably needs some logic to iterate through and the variable to store multiple values
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
I have modify the script and used a loop to delete all expired certificate using user
USER=$(dscl . list /Users | grep -v '_\|nobody\|daemon\|root' | tail -n 1)
# Grabs the expired certificate hashes
expired=$(security find-identity | grep EXPIRED | awk '{print $2}')
# Grabs the expired certificate hashes
expired=$(security find-identity | grep EXPIRED)
# Check for certs
if [ -z "$expired" ]
then
echo "No expired certificates, we're all good"
else
# Deletes the expired certs via their hash
echo "Deleting expired certs"
# security delete-certificate -Z $expired
for i in $(security find-identity | grep EXPIRED | awk '{print $2}')
do
su $USER -c "security delete-certificate -Z $i"
done
fi
